
Apple details secure 'touchless' e-wallet strategy in patent filing


Apple has been coy in revealing its plans for a touchless payment solution, but a patent filing discovered on Thursday gives clues as to where the company is headed.

Tech companies like Google are looking to streamline real world payments with so-called "e-wallet" solutions based on touchless technology like NFC. Despite a market heavily saturated with smart devices that would serve as optimal platforms for such systems, a clear frontrunner has yet to emerge.

While Apple is said to be working on a mobile payments solution, it has taken a "go slow" approach to the still nascent market. Over the past months, however, the company has been quietly laying groundwork for a possible reveal, first with Passbook, and more recently iBeacon. At this point, the endgame is unknown, but a patent filing discovered today may play a role in Apple's grand design.

The U.S. Patent and Trademark Office published Apple's application for a "Method to send payment data through various air interfaces without compromising user data," which details a readily deployable digital system based on existing mobile hardware technology. Prior to today's filing, most of Apple's payment-minded patents have focused on use case scenarios, not backend infrastructure.


The patent language notes that the invention covers a commercial transaction method in which a purchasing device, such as an iPhone, finds and establishes a secure connection to a point of sale system via a first wireless interface. Following link up, the device identifies a second, different wireless interface to connect to a backend server for transaction completion.

According to the document summary, the first secure connection can be accomplished via near-field communications modules — or like technology — and is provided to initiate the sales process. Here, NFC is used as an example and the patent points out that other wireless protocols can be used as necessary. In addition, the invention notes that a "bump" may be used to start the connection sequence.

It should be noted that Apple has shown more interest in Bluetooth than NFC, especially given the introduction of iBeacon technology, which rolled out in Apple Stores across the U.S. in December. Based on the Bluetooth Low Energy protocol, iBeacon has the potential to combine the benefits of NFC's limited proximity operation with increased range if needed. Bandwidth is also higher than NFC, allowing for more complex security implementations and data transfer.

Because holding a phone next to a cash register may be uncomfortable, a second, more robust wireless interface is used to complete the transaction.

Along with Wi-Fi, the patent application names Bluetooth as a candidate wireless protocol for the second secure link with a store's backend server. This secondary connection does the heavy lifting in Apple's invention, including credit card handling, transfer of cryptographic data and user verification.

Passing sensitive credit card information stored on board a device through to a POS or backend server is dangerous as rogue apps may steal the data as it moves through the applications processor. Instead, the invention calls on a "secure element" located on-board a device to generate an alias for customer account information, which is then sent to the server along with a shared secret, or crypto key.

Mentioned multiple times in the patent language, the "secure element" appears to operate in a similar fashion to the "secure enclave" found in the iPhone 5s' A7 system-on-a-chip. In its current form, the enclave serves to protect Touch ID fingerprint data from snooping apps, but the system could potentially be used to safeguard payment information as well. As it is, both the patent and the existing secure enclave create aliases for outgoing data.


Once the alias is received at the backend server, it is verified by crypto data. Examples of viable secure solutions include a digitally-signed combination of one or more aliases, random numbers, merchant identifiers or other values.

To verify that the alias and crypto data match, the purchase device and server may communicate a shared secret. A shared secret can be a symmetric key stored in the secure element when the device is manufactured, then transmitted to the server backend behind a secure firewall. Another example is a specific counter value known independently on the device and server.

When a transaction request is received at the server, it generates crypto data from its own version of the shared secret and compares it to the crypto data sent over by the purchasing device to confirm the alias. If a match is found, the transaction is allowed to go through. In the case of a no-match, the transaction is cancelled and the wireless connection is terminated.

A simplification of the process is as follows: A purchase device initiates a transaction with a POS device via a close-proximity wireless protocol like iBeacon or NFC. The phone then sniffs out and connects to the server backend via a second wireless protocol, sending an alias for credit card information alongside a crypto key generated from a shared secret. These sensitive assets are stored in a secure element on the phone. On the server end, the backend generates a crypto key based on the shared secret and compares it with the data provided by the phone. If everything matches, the transaction is a go.
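The verification flow described above, sketched as an added example that comes from neither Apple's filing nor the original article. HMAC-SHA256 as the "crypto data", the field layout, the counter-based replay check and the `SecureElement`/`Backend` names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct


def cryptogram(key, alias, merchant_id, nonce, counter):
    """Crypto data bound to one transaction (HMAC-SHA256 is an assumption)."""
    fields = (alias.encode(), merchant_id.encode(), nonce, struct.pack(">Q", counter))
    # Length-prefix each field so adjacent values cannot be shifted between fields.
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecureElement:
    """Device side: key and counter stay here; only the alias and MAC leave."""

    def __init__(self, key, alias):
        self._key, self._alias, self._counter = key, alias, 0

    def pay(self, merchant_id):
        self._counter += 1
        nonce = os.urandom(16)
        mac = cryptogram(self._key, self._alias, merchant_id, nonce, self._counter)
        return {"alias": self._alias, "merchant_id": merchant_id, "nonce": nonce,
                "counter": self._counter, "cryptogram": mac}


class Backend:
    """Server side: holds its own copy of each shared secret, indexed by alias."""

    def __init__(self):
        self._accounts = {}  # alias -> [key, highest counter accepted]

    def enroll(self, alias, key):
        self._accounts[alias] = [key, 0]

    def verify(self, req):
        account = self._accounts.get(req["alias"])
        if account is None:
            return False
        key, last = account
        expected = cryptogram(key, req["alias"], req["merchant_id"],
                              req["nonce"], req["counter"])
        # Constant-time comparison; a stale counter marks a replayed request.
        if not hmac.compare_digest(expected, req["cryptogram"]) or req["counter"] <= last:
            return False
        account[1] = req["counter"]
        return True
```

Because the merchant identifier is inside the MAC, a request captured at one merchant fails verification if it is re-labelled for another, and the counter check rejects a verbatim resend.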


At this point, it is unclear if Apple will ever institute the above described system in a payments solution, though the company's most recent hardware and software advancements do point in that general direction.

It can be speculated that users may one day be able to use Touch ID to complete transactions by accessing credit card or banking information stored in an on-board secure enclave. Of course, merchants would have to agree to modifications to POS and backend systems for the solution to work. From what can be gathered by early iBeacon adoption, however, it appears that retailers may be ready for an Apple-made answer to mobile payments.

Apple's wireless interface payment patent application was first filed in 2012 and credits Ahmer A. Khan, Brian J. Tucker, David T. Haggerty and Scott M. Herz as its inventors.



25 Comments

philboogie 7669 comments · 15 Years

[quote name="AppleInsider" url="/t/161602/apple-details-secure-over-the-air-e-wallet-strategy-in-patent-filing#post_2458373"]In addition, the invention notes that a "bump" may be used to start the connection sequence.[/quote]
Bummer

[quote]^ article[/quote]
Sounds like a secure system. Amazing that we have a mobile device that can do all the processing. How far we've come.

[quote]Of course, merchants would have to agree to modifications to POS and back-end systems for the solution to work.[/quote]
And there's the problem. I wonder what this will entail, exactly. Specialized software? From Apple, requiring a Mac? (Implementation) costs? It's 'easy' to design some method on paper, but with all ramifications I have no doubt there are many great ideas, never to see the light of day because of the amount of work or costs involved.

mieswall 84 comments · 12 Years

In 2012 this filing was mentioning a secure device, released as touchid over a year later. Payment design is probably much more detailed by now at Apple's labs. Imho, this will turn out to be the biggest thing for Apple in the coming years. This is why they are piling so much cash.

acatomic 60 comments · 11 Years

[QUOTE]And there's the problem. I wonder what this will entail, exactly. Specialized software? From Apple, requiring a Mac? (Implementation) costs?[/QUOTE]
There are some iPad POS on the market.

formosa 261 comments · 11 Years

Isn't this somewhat how Airdrop works? The BT link establishes connection, and the WiFi link does the high throughput. In this case, both links can be used for extra security (shared key). This dual link is a novel approach to throughput AND security. Can't wait to see how TouchID plays out with this.

flaneur 4525 comments · 14 Years

[quote name="mieswall" url="/t/161602/apple-details-secure-touchless-e-wallet-strategy-in-patent-filing#post_2458382"]In 2012 this filing was mentioning a secure device, released as touchid over a year later. Payment design is probably much more detailed by now at Apple's labs. Imho, this will turn out to be the biggest thing for Apple in the coming years. This is why they are piling so much cash.[/quote]
I agree that making the world's commerce easier and more secure could be a very big market for Apple (or anyone else), but where's the need for the big cash pile? Serious question. I can see that Apple is going to need data centers around the world for this and other services like FaceTime, iMessage, iCloud, Siri, but e-commerce? Where's the need for large capital?